Commit ab4109f9 authored by Bartosz Golaszewski's avatar Bartosz Golaszewski

gpio: sim: dispose of irq mappings before destroying the irq_sim domain



If a GPIO simulator device is unbound with interrupts still requested,
we will hit a use-after-free issue in __irq_domain_deactivate_irq(). The
owner of the irq domain must dispose of all mappings before destroying
the domain object.

Fixes: cb8c474e ("gpio: sim: new testing module")
Signed-off-by: default avatarBartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
parent 706a7415
+13 −0
@@ -291,6 +291,15 @@ static void gpio_sim_mutex_destroy(void *data)
	mutex_destroy(lock);
}

static void gpio_sim_dispose_mappings(void *data)
{
	struct gpio_sim_chip *chip = data;
	unsigned int i;

	for (i = 0; i < chip->gc.ngpio; i++)
		irq_dispose_mapping(irq_find_mapping(chip->irq_sim, i));
}

static void gpio_sim_sysfs_remove(void *data)
{
	struct gpio_sim_chip *chip = data;
@@ -406,6 +415,10 @@ static int gpio_sim_add_bank(struct fwnode_handle *swnode, struct device *dev)
	if (IS_ERR(chip->irq_sim))
		return PTR_ERR(chip->irq_sim);

	ret = devm_add_action_or_reset(dev, gpio_sim_dispose_mappings, chip);
	if (ret)
		return ret;

	mutex_init(&chip->lock);
	ret = devm_add_action_or_reset(dev, gpio_sim_mutex_destroy,
				       &chip->lock);
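Review bot: The use-after-free fix depends on devres release order, and nothing in the new code records that. `gpio_sim_dispose_mappings` is registered directly after the `chip->irq_sim` error check, so that (devres releasing in reverse registration order) it runs before the presumably devres-managed domain is torn down. A comment above the `devm_add_action_or_reset(dev, gpio_sim_dispose_mappings, chip)` call would guard against a later reordering bringing the bug back, for example `/* Keep right after irq_sim creation: devres unwinds in reverse, so mappings go before the domain. */`. Separately, the helper's loop bound `chip->gc.ngpio` is not assigned in the visible lines. If it is set later in gpio_sim_add_bank, which continues outside the hunk, an early probe failure runs the action with zero iterations; that looks safe only because no mappings exist yet, and is worth confirming. A one-line comment in the helper noting that it relies on `irq_dispose_mapping()` tolerating unmapped lines, for which `irq_find_mapping()` returns 0, would also help readers.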